I am moving one of my sites over to a new script.
Rather than have to go through all the motions to convert an md5 varchar40 password to a sha256 varchar64 with salt password, I am thinking it would be better to just assign a random password to each account, then have the members use the forgot-password routine to set their password back..

Sounds like it would work much better. Besides, it's only a 200 member site.

05-13-2013, 02:48 AM

itxtme

Two better options (both require more work) would be to either

1)

Add the new SALT + Sha256 below the current one, so you are salting then encrypting the MD5.

2) Set up, as part of your login, a request to reset the password prompt upon login. More professional; you would just need an extra column in your passwords to see if they use new or old. And then in your login script use the login script based on old or new..

I guess the question is will your customers believe you, or will they think you have lost their passwords -> loss of business

05-13-2013, 03:23 AM

felgall

The only way to make the change without your visitors knowing would be if you add the new password field while retaining the old one.

The first time they log in after you make the change you hash their password both ways to validate against the old field and to save in the new field. You then clear the old field to indicate that any subsequent logins should validate against the new field.

Once all the old password fields have been cleared through everyone having logged in and set their new hash you can then delete that column from the database.

That's the only way you can convert from one hash to a different hash, as only the individuals know what their actual password is to be able to enter it.
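Both migration paths in this thread (itxtme's option 1 of wrapping the stored MD5 in the new salted SHA-256 straight away, and felgall's transparent re-hash on the user's next successful login) can be shown in one piece of code. The block below is an added example written for this thread in Python, not code posted by anyone in it or from the script durangod is moving to; the table layout, the column names (`legacy_md5`, `salt`, `sha256`, `scheme`) and the three scheme values are assumptions, and the member rows are constructed sample data. It targets exactly the salted SHA-256 varchar(64) format the thread discusses; a purpose-built password hash (bcrypt, PBKDF2 or similar) would be the stronger destination and would slot into the same `_store_new` step.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread: an in-memory stand-in for a members
# table, holding the old MD5 column next to the new salt + SHA-256 columns and a
# "scheme" column that records which one a row currently validates against.
# Column names and the three scheme values are assumptions for this example.


def legacy_hash(password: str) -> str:
    """Old scheme: unsalted MD5 hex digest (32 chars, stored in the varchar(40) column)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_hash(secret: str, salt: str) -> str:
    """New scheme: SHA-256 over salt + secret, hex encoded (64 chars, the varchar(64) column)."""
    return hashlib.sha256((salt + secret).encode("utf-8")).hexdigest()


def make_salt() -> str:
    return secrets.token_hex(16)


def make_legacy_table() -> dict:
    """Constructed sample rows as they would look before the migration starts."""
    rows = {}
    for user, pw in (("alice", "alice-pass"), ("bob", "bob-pass"), ("carol", "carol-pass")):
        rows[user] = {"scheme": "md5", "legacy_md5": legacy_hash(pw), "salt": None, "sha256": None}
    return rows


def wrap_legacy_hashes(table: dict) -> int:
    """itxtme's option 1: salt and SHA-256 the stored MD5 right now, offline, with no
    user involvement. The MD5 column can be cleared immediately; login must then
    feed md5(password) into the new hash until the user next logs in."""
    wrapped = 0
    for row in table.values():
        if row["scheme"] == "md5":
            row["salt"] = make_salt()
            row["sha256"] = new_hash(row["legacy_md5"], row["salt"])
            row["legacy_md5"] = None
            row["scheme"] = "sha256_over_md5"
            wrapped += 1
    return wrapped


def _store_new(row: dict, password: str) -> None:
    """Write the final form: fresh salt, SHA-256 over the real password, old column cleared."""
    row["salt"] = make_salt()
    row["sha256"] = new_hash(password, row["salt"])
    row["legacy_md5"] = None
    row["scheme"] = "sha256"


def login(table: dict, user: str, password: str) -> bool:
    """felgall's approach: validate against whichever column the row still uses and,
    on success, re-hash the password the user just typed into the new column."""
    row = table.get(user)
    if row is None:
        # Burn the same work as a real check so a missing user is not obvious from timing.
        hmac.compare_digest(legacy_hash(password), legacy_hash(""))
        return False
    if row["scheme"] == "md5":
        ok = hmac.compare_digest(legacy_hash(password), row["legacy_md5"])
    elif row["scheme"] == "sha256_over_md5":
        ok = hmac.compare_digest(new_hash(legacy_hash(password), row["salt"]), row["sha256"])
    else:
        ok = hmac.compare_digest(new_hash(password, row["salt"]), row["sha256"])
    if ok and row["scheme"] != "sha256":
        _store_new(row, password)  # transparent upgrade on the first successful login
    return ok


def migration_complete(table: dict) -> bool:
    """True once every row validates against the new column only, i.e. the old
    MD5 column is empty everywhere and can be dropped."""
    return all(r["scheme"] == "sha256" and r["legacy_md5"] is None for r in table.values())
```

Run `wrap_legacy_hashes` once if you want the plain MD5 values gone from the database on day one; either way, `login` upgrades each row the first time its owner signs in, and `migration_complete` is the check to run before dropping the old column, as felgall describes.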

05-13-2013, 10:26 AM

tangoforce

I'm with felgall on this as it offers a completely transparent update that your users will never notice and that is really the best way forward. Requiring all your users to reset their passwords will be unwanted hassle for your users.

05-13-2013, 02:41 PM

durangod

Thank you all, appreciate all your input... well the users do know about the conversion, I sent out a mass email asking them for their input and that I had the idea about changing the script over to a FB (facebook) dashboard style front end. Although I personally hate FB their front end style does seem to be popular and my traffic is suffering.

So as I said I sent out a mass email explaining my idea that changing the front end may result in more traffic and more traffic means more potential members. I very rarely get feedback from emails like this from the members but I do it as a courtesy. But this time a ton of them wrote back and said heck yes, although they like my site they LOVE the FB layout and they can't wait for me to convert.

So I guess I'm committed to the idea now hell or high water lmao... :)

But anyway they do know that there may be some data loss and may be some site down time..